Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3

Dixons Carphone today admitted that the data breach it discovered last month affected nine times as many people as first believed. The retailer 'fessed up to the hack in June this year, saying that it had involved 5.9 million payment cards and 1.2 million personal data records. However, in a statement issued today (PDF), …

  1. Kaltern

    "We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us."

    You failed.

    I'm getting very tired of these mass data breaches without any real consequence to the companies involved. I know that people should probably be not giving them this info, but I wonder how much is by choice - after all, if you buy something, you need to give your details, and I'm pretty sure you don't get an option to opt-in to the site keeping them.

    It's high time CEO's were held directly responsible for these issues.

    1. wolfetone Silver badge

      Why stop with the CEO's? Sack the board too.

    2. Anonymous Coward

      10 million customers too late for that statement.

    3. Anonymous Coward

      It's high time CEO's were held directly responsible for these issues.

      Baldock is a former banker, so I wouldn't cry if he were drowned in sewage, but since he only joined Dixons Carphone in January of this year, we'd be disposing of him for fun, rather than punishing those accountable for the Dixons Carphone data breach in question.

      1. Fred Dibnah

        It would be fun, but it might also make people do proper research and think twice before slithering from one company to another, and as a result ‘encourage’ incumbents to keep their house in order.

    4. Geoff May (no relation)

      Re: It's high time CEO's were held directly responsible for these issues

      They will find some poor technician and blame it all on that person and then they'll say they found the culprit so holding them responsible is unfair, where's my additional bonus for finding the culprit etc. etc. etc.

    5. Anonymous Coward

      'Without any real consequence to the companies involved'

      Even worse.... No consequences for senior staff or executives and their bonuses. This is no different from robo callers who phoenix their firms to escape fines. The game is rigged. Fuck govt for letting this happen because of who they play golf with!

    6. Derezed

      "I know that people should probably be not giving them this info"

      Very easy to say. I have just had a demand from a pension provider to send them copies of my passport and driving license which they are legally required to keep "on file" (i.e. in some unlocked drawer) for 5 years or the length of my business with them (i.e. when I die).

      I told them to fuck off so they can't provide me with a service.

      When the state makes it the law that all of these pissant (and not so pissant) companies demand copies of your nut sack imprint, is it any wonder that every fraudster under the sun has your DNA on file?

      Dem gubment.

      1. Uberior

        I've just had a similar demand from a marketing company when I asked for them to provide evidence of consent for a campaign they were involved in.

        They demanded:-

        Passport

        Driver's Licence

        Council Tax Bill

        Bank Statement

        I have refused, so they are refusing to evidence consent. There's absolutely no way that I'm sending that level of detail so they can tell me where I ticked a box to receive spam. I've offered to go round to their head office and allow them to view the documents (but not take copies) - but that is "unacceptable" and they don't meet with "customers".

        Off to the regulator with a complaint I go.

        1. paulf

          @ Derezed, Your pension provider is probably looking over their shoulder at the strict rules on verifying identity to prevent money laundering. That said the application of these rules varies wildly - some are happy to have a utility bill and a bank statement (I suspect difficult enough for many in the El Reg readership who get these electronically). In your case they've applied the rules much more strictly.

          @ Uberior

          Best of luck with your complaint. In your case with the marketing muppets they definitely have no right to ask for all that stuff and they know it. IANAL but you might like to look up the DPA clause that notes data processors should only collect and process data directly relevant to the matter in hand. Asking for passport and DL is way beyond that level IMO. Unfortunately the ICO tend to be like this too - you have to give them lots of identifying information to make a complaint against the spamming slime.

  2. SkippyBing

    Have I shopped with them?

    The problem with Dixons Warehouse is that they've merged so many companies I have no idea if I need to be worried that the details I used to buy a fridge 8 years ago may have been leaked. Although as I'd just moved at the time I doubt I even got the address right...

    1. Kaltern

      Re: Have I shopped with them?

      Which is why I get so irritated with this - companies have no business to be keeping your personal detail for that long without your express consent and knowledge - and not some sneaky weaselwording on the Checkout page like: 'We would like to pass your details on to carefully selected 3rd parties who might interest you. If you would not like for us to not do this, then please don't tick the box.'

      1. Mark 85

        Re: Have I shopped with them?

        'We would like to pass your details on to carefully selected 3rd parties who might interest you. If you would not like for us to not do this, then please don't tick the box.'

        It's usually the other way around: you have to tick the box for the info NOT to be passed around. And also in some super small font that isn't black but close to the background color. One would think that they don't want you to be able to opt out. Some sites have the box already ticked for "receiving" the ads/spam, etc. Depends on the, as you say, weaselwording.

        1. Fred Dibnah

          Re: Have I shopped with them?

          IANAGDPRExpert but I thought it required such selections to be opt in?

        2. LeahroyNake

          Re: Have I shopped with them?

          I am sure automatic opt in for marketing was against some regulations at one point. Yes that should count as automatically ticking the opt in box. Maybe GDPR legitimate business interest overrides that :o no fekkin idea to be honest it's all too much for me to comprehend when the cookie box pops up EVERYWHERE.

    2. Uberior

      Re: Have I shopped with them?

      They have been relentlessly selling data for years anyway.

      I tracked down the alleged consent for a spam marketing (for a high APR Credit card) to a company in Bristol who claimed to have been supplied with data from Dixons-Carphone. This was prior to GDPR so Dixons refused to disclose when I "ticked the box" unless I sent them £10...

      This isn't so much as 10,000,000 records "stolen", it's more just 10,000,000 records that Dixons aren't getting commission for.

  3. MrXavia

    While I am not sure if it was this hack, this month I had my card defrauded, I was told by my card supplier, it was most likely a hack at a retailer I used.

    So either it's these guys, or keep an eye out for another big leak soon....

    What we need is auto-generated card numbers, so we can have a different card number to us to use at different online retailers, surely it wouldn't be that hard to do?

    1. SloppyJesse

      "What we need is auto-generated card numbers, so we can have a different card number to us to use at different online retailers, surely it wouldn't be that hard to do?"

      Cahoot tried this many years ago. You could 'create' a card with a specific limit and limited valid date. Worked, but I think the problem is volume of numbers needed.

      What is really required is a better authentication scheme. Chip and pin and secure code/verified by visa are better, but as long as people can fall back to simply entering a few non changing values there will be a huge hole that ne'er do wells will exploit.

    2. Lee D Silver badge

      That's basically how any Android-Pay like scheme works.

      My HSBC card got "another number" when entered into Android Pay, which is hidden even from me but used whenever there's a bonk-transaction.

      In theory, that code could change at will. But if you're relying on "super secret numbers" rather than "the user knows what's being done" then you have security back-to-front.

      Most EU banks text you immediately for every transaction. Except for the UK arms. Who only ever do it - if you're lucky - for transactions over, say, £500 or £1000.

      1. Is It Me

        Have a look at one of the challenger banks, my Monzo app alerts me within seconds of it being used.

  4. Prst. V.Jeltz Silver badge

    didnt we just GDPR this out?

    I would have thought that that GDPR thing that arrived last month, and seemed to be a rehashed, re-thought, updated set of laws for dealing with data privacy would have included these:

    1) An "unsubscribe" link that includes "delete all records of me in your database, including forum comments, product reviews, feedback scores etc etc"

    2) An option to "after this purchase delete my financial information"

    I guess (1) would have pissed off Facebook and other hoarders too much.

    1. Anonymous Coward

      Re: didnt we just GDPR this out?

      You can do this for all marketing and discretionary data, simply by writing or emailing the data controller of the company concerned, notifying them that you are exercising this right under GDPR.

      But bear in mind that for legal reasons, anybody you've had a non-cash financial transaction with has to keep relevant records in compliance with tax and audit requirements, so they are not allowed to delete those. That record retention is (broadly speaking) six years after the end of the relevant annual accounting period and is required by HMRC for tax and VAT purposes, and by the Companies Act for audit and compliance. So your payment details (in some form), your name, address, order history won't be deleted on request.

      1. Prst. V.Jeltz Silver badge

        Re: didnt we just GDPR this out?

        Why? By the time I get my money I've already paid tax on it, and the vendor will take VAT regardless, my bank are recording where the money went (as are the vendor's bank), and if using cash circumvents the whole thing anyway what's the point? The only result is dozens of people holding a copy of the key to my bank account!

  5. Herring` Silver badge

    Cost

    Given that this is pre-GDPR, the max fine would be £500K. And the cost of doing security properly? My guess is that they count this as a win.

    Even Equifax is still trading - a key indicator that there is no justice (yeah, I know that's mostly US). There's no way the authorities are able to say "Sorry, but you're just too crap to be trusted with PII".

    From the "probably a stupid idea" file, what if the ICO were able to employ a bunch of suitably gifted people (I nearly said "1337 h4x0rz" there) to actually test whether a company has actually sorted itself out rather than having to take their word for it.

    1. Anonymous Coward

      Re: Cost

      Given that this is pre-GDPR, the max fine would be £500K. And the cost of doing security properly? My guess is that they count this as a win.

      I doubt that. The costs to rectify the point of failure, undertaking an ICO compliant investigation, the loss of business from customers choosing to avoid you, costs of marketing to try and repair reputational damage all run into several tens of millions for an instance like this. They might be thinking that they got off with a low fine, but even post GDPR I expect that the costs to the business of a data breach will exceed what they will actually be fined.

      The problem is, the board of Dixons Carphone probably believed beforehand that they had a good, strong risk management framework, and that the IT was secure. Anybody that dealt with the board told them it was all hunky-dory, nobody on the board actually had much interest in ITSec. I'm not sure how we change that, but the lack of success in tackling either high level organised crime or low level nuisance like littering suggests that fines and imprisonment don't really act as a deterrent, and won't motivate boards to approach ITSec with any real skill or vigour.

      1. Herring` Silver badge

        Re: Cost

        Somewhere up the chain of command between the people who understand the tech and the board, some person will have been keen to "control costs" and be seen to be taking an interest in the bottom line.

        You're right about fines not being a deterrent. Hence my musings about whether ultimately the authorities should be able to shut an organisation down if it's repeatedly shown to be crap with people's data.

        1. Anonymous Coward

          Re: Cost

          Hence my musings about whether ultimately the authorities should be able to shut an organisation down if it's repeatedly shown to be crap with people's data.

          I like the concept, but if enforced equitably, long before any (significant) private sector business were shut down, the ICO would have shut down entire wings of the NHS, a range of local councils and police forces, and central government and civil service itself.

  6. Anonymous Coward

    I do have one thought about putting shareholders of these companies on the line too as surely that would give a financial incentive for them to sort it out since bonuses appear to be linked to share prices going ever upwards these days, if a company has too many of these data breaches and the share holders have money taken away from them because of this on a upwards scale I'm sure the money would be flowing out faster than shit on a shovel after the first breach and may actually make companies think about security as an investment rather than a cost.

    Just a thought, admittedly not a fully formed one yet.

  7. adam payne

    In today's statement CEO Alex Baldock, who only started in April, said: "We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us."

    Blah blah blah, same kind of statement different day.

    "We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing."

    At pace? Makes me think of people running around patching systems that were forgotten.

    I hope you are fully testing things before deploying them at pace.

  8. Doctor Syntax Silver badge

    "I want to assure them that we remain fully committed to making their personal data safe with us."

    Look here, el Reg. I'm fed up with you just rolling this sort of statement out like that.

    Will you please ask their PR people why, if they meant that, they allowed it to happen and tell them you won't publish their boilerplate at all unless they provide an answer to that question to publish alongside it.

    They shouldn't be allowed to get away with that crap. The only reason they do is that the media allow them to get away with it. Being allowed to get away with it just encourages them more to the point where Pester thought he could whitewash a major meltdown with some anodyne guff.

    1. Kevin Johnston

      Good point, the correct reporting should be along the lines of 'We asked for a response and they used the same rubbish as last time'.

      You get one chance to use that excuse and when the second breach hits you go into the 'Can't be trusted with personal data (or looking after the tea kitty)' category until you can prove you have really fixed it with independent testers.

    2. Anonymous Coward

      " Being allowed to get away with it just encourages them more to the point where Pester thought he could whitewash a major meltdown with some anodyne guff."

      To be fair, he's still in a job, so clearly has got away with it. And the stats I saw in the last week, TSB have gained more customers than they lost since the meltdown, suggesting that most people only tend to have short-term outrage :-|

    3. Cpt Blue Bear

      "Look here, el Reg. I'm fed up with you just rolling this sort of statement out like that."

      Agreed with bells on.

      I'd also like to ask what they are actually doing beyond issuing vague statements of intent.

  9. JimmyPage

    New scammer SOP ?

    1) Trip big company's (ideally one with a pretty shit reputation to start with) data breach alert system.

    2) Wait for said big company to self-report, and hit the headlines

    3a) Flood the interwebs with your carefully crafted phishing emails that look like they are the sort of thing said big company would send out.

    and/or

    3b) Also hit the phones for some old school phishing.

    4) clean up.

    Notice how no data was lost - or needed - in the making of this scam.

  10. Anonymous Coward

    Antiquated IT systems

    Of course, this would have nothing to do with their absolutely antiquated IT systems would it? Their store tills run on Windows XP, oh and they have complete internet access on them as well through Chrome and IE.

    Those same tills have access to every single customer who has ever purchased from Carphone Warehouse.

    1. Roger Greenwood

      Re: Antiquated IT systems

      "Those same tills have access to every single customer who has ever purchased from Carphone Warehouse."

      Unless you paid cash (and some still do).

  11. teknopaul

    I don't think companies should be allowed to hold full credit card data.

    If they couldn't they would have to invent some simple app that requests your credit card for monthly purchases that takes a one click response on a phone to send, for example, the back 8 numbers off the card.

    If you used it, this app would have your own cc numbers in your phone to support it. Each hack would result in one half of a cc number exposed instead of ten million full ones.

    Big companies, and them charities that take regular payments from granny, would not like it. But consumers would be happy to be asked politely before money is taken off them.

    1. Alister

      I don't think companies should be allowed to hold full credit card data.

      They aren't supposed to, if they want to be PCI-DSS compliant. But lots still do it, and even store them unencrypted as well.

      There are well established methods to make repeat payments using an authorisation token, which don't require the retailer to store the card details, and for one off payments the details shouldn't be stored at all.

      1. Mark 85

        A few (very few it seems) retailers here in the States have some signs posted at the till along the line of "your CC details will be erased when this transaction is completed". Do they? I have no idea but it at least indicates they know there's crims out there that will bite them.

      2. Andy Humphreys

        Companies can store the PAN (16 digit number) and remain PCIDSS compliant, so long as it's properly protected and they comply with all the other requirements that jump in when storage of the PAN is chosen. They cannot store the sensitive data such as mag stripe data & CV2.

        But I would agree, there cannot be many situations left where anybody would absolutely need to keep the full PAN itself. Most if not all PSPs nowadays will provide a tokenisation option, and so any storage should be of the token, for any company that might need to carry out repeat payments etc.

  12. tiggity Silver badge

    Why did they keep so much data???

    They will have had mine at some point as I purchased a fridge from them and got it delivered - so they needed my address for delivery

    However, after it was delivered there's no need to keep those details live - they could be archived off at month end (if there are actually any legal reasons to keep it, which I doubt as I signed a bit of paper saying delivery was OK so no need for data in digital form)

    Once archived it should be deleted from "live".

    Obviously archived data should not be easily accessible and ought to be structured in how stored, not one monolithic datasource!

    ..But we all know they smell cash from personal details (e.g. trying to flog overpriced insurance a while after purchase etc.) so keep the data (insecurely) when there is no real need other than potential monetization.

    1. Anonymous Coward

      Re: Why did they keep so much data???

      Well, they have to keep most of the data as a legal requirement (see post further up). You make a very important point though, that they don't have to keep any of that live, other than the current financial year.

      But why bother, when it's only customer data?

      1. Alister

        Re: Why did they keep so much data???

        Well, they have to keep most of the data as a legal requirement (see post further up).

        Yes, they have to keep transaction records, but NOT the CC details, there is no requirement for that.

    2. Anonymous Coward

      Re: Why did they keep so much data???

      As to why firms keep storing card details instead of purging them? ... Billing convenience. So they can always bill you, no matter what, without risk of mistake from repeated entry etc.

      1. Prst. V.Jeltz Silver badge

        Re: Why did they keep so much data???

        They legally have to, that's why. According to the guy who answered my post of the same question. 6 years.

  13. Anonymous Coward

    Do breaches ever get downgraded?

    Instead of just Downplayed... 'We thought it was 10m records, good news it's only 1m'. No, cook the numbers until the story falls off the front page. Then tell the whole ugly truth. Does GDPR cover severity or number of revisions etc? And as for 'No evidence of fraud'? Would you please f$%k 'off. Past similar cases prove it can be years before the damage incubates:

    1. Anonymous Coward

      'it can be years before the damage incubates'

      "The case shows just how long data leaks can linger for the companies and governments who fall victim. In this case, we are more than three years on from the OPM's disclosure"

      https://www.theregister.co.uk/2018/06/19/opm_leak_fraudster_guilty/

  14. TheCityRoad

    Worth reading the ICO report on the breach....

    ... as the number of infosec 'how not to do it' instances leading to the inevitable car crash is instructive.

    A number of people mention the data retention, as though Carphone had been deliberately keeping the information longer than necessary; the truth in a way was worse, they didn't realise they were retaining it after an external consultant running a test migration stored it all on an insecure web server db. It was there for years, forgotten about before the breach began.
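An added illustration of two points raised in this thread, not code from any commenter or from Dixons Carphone: Alister's and Andy Humphreys' observation that a retailer should keep a PSP token and a masked PAN rather than the full card number (comment 11), and TheCityRoad's point that a forgotten test export can hold full PANs for years (comment 14). `FakePsp`, the token format and the sample export are constructed stand-ins; the one full card number in the sample is the standard Visa test PAN.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; a string that fails it cannot be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS lets you show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class StoredCard:
    """What the retailer keeps for repeat payments: token and masked PAN, never PAN or CVV."""
    token: str
    masked_pan: str
    expiry: str


class FakePsp:
    """Hypothetical stand-in for a payment service provider's tokenisation vault."""
    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str, cvv: str) -> str:
        # CVV accompanies this one authorisation only and is not stored anywhere
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        # the PSP resolves the token to the PAN; the retailer never sees it again
        return token in self._vault and amount_pence > 0


def tokenise_for_storage(psp: FakePsp, pan: str, expiry: str, cvv: str) -> StoredCard:
    """Validate the card once, hand the PAN to the PSP, keep only token + masked PAN."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    if not (cvv.isdigit() and 3 <= len(cvv) <= 4):
        raise ValueError("bad CVV")
    token = psp.tokenize(digits, expiry, cvv)
    return StoredCard(token=token, masked_pan=mask_pan(digits), expiry=expiry)


# 13-19 digits, optional single space/dash separators, not inside a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text (DB exports, logs, backups).

    Masked forms such as 411111******1111 never match.  Long numeric IDs that
    happen to pass Luhn (roughly one in ten) will, so treat hits as leads to verify.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample resembling a forgotten migration export.  Only the second
# row holds a full card number (the Visa test PAN); the others are masked or tokenised.
SAMPLE_DUMP = """\
order_id,customer,phone,card,expiry
ORD-100123,A. Customer,07700 900123,411111******1111,12/29
ORD-100456,B. Customer,07700 900456,4111 1111 1111 1111,12/29
ORD-100789,C. Customer,07700 900789,tok_placeholder,12/29
"""
```

Running `find_unmasked_pans` over an old export flags exactly the rows that should never have existed, while a `StoredCard` record contains nothing the scanner can find.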

  15. Crisp

    There is no evidence that any fraud has resulted

    Yet.

  16. Swiss Anton

    Secret questions & answers also at risk of hacking

    Earlier on today I had cause to access a streaming music service(**) that I hadn't used for a while. As part of the process I had to re-validate my account, and to do so, they asked me for the answer to a secret question (which I'd never set up). Fortunately there was a link on the same page to set the answers to my 3 secret questions. LOL what a fail. Anyway, there is no way I am going to give them my mum's maiden name (which is a real stupid question as my sister knows the answer to that, and the name of my first school, and the name of my first F*** ....) WTF WTF WTF. But even if I could choose the questions, what if these muppets got hacked? Then everyone would know my questions and answers.

    It wouldn't let me in unless I provided some answers to some obvious questions. In the end I gave up and gave the answers 1Banana! (*), 2Banana!, 3Banana! It seemed happy enough with these. From now on I reckon that I will use the same answers for all my non-essential web sites.

    (*) I never realised my mum's maiden name was 1Banana!

    (**) optical melodies

    (***) Don't ask, but it wasn't my sister

  17. Tigra 07

    Taking tips from the Talk Talk school of getting hacked I see...Will this number be revised upwards again in a few days to cover all customers?

  18. Rainman

    06/04/2018 I ordered a GoPro from Curry's PC World on their website. I made absolutely sure I ticked (or unticked) all boxes to ensure I had opted out of all collection of my data for marketing purposes.

    13/04/2018 I get an email from CurrysPCWorldFeedback@maruedr.com asking me for feedback on my shopping experience.

    13/04/2018 Sent an email to Curry's PC World DPO explaining that I was unhappy with them sharing my data with a marketing outfit.

    16/04/2018 I get an email from Revoo asking me to review my GoPro that I purchased on a specified date from Currys PC World.

    16/04/2018 I contact both Maruedr and Curry's PC World continuing to express my displeasure at them being incredibly free and easy with my data and apparently ignoring any email I've sent reporting their own organised breach.

    20/04/2018 I get a response from Currys PC World DPO telling me they didn't share my data and that I'd received a phishing email.

    20/04/2018 I get another duplicate Revoo email.

    24/04/2018 Received an email from Currys explaining that they do share my data with third parties for the purpose of conducting surveys, etc.

    30/04/2018 I finally get an email from Maruedr (which, it turns out, is a legit if scummy marketing company) confirming that they received my details from Currys PC World (and they list them as a customer on their own website) and have deleted my data and have notified Curry's to do same and tell me to continue any further correspondence through Currys.

    14/05/2018 Receive an email from Maruedr that they have finished deleting my data.

    This is still outstanding with Currys PC World and they haven't addressed my concerns, nor confirmed deletion of non-essential data, nor that they won't share it any more. About to report this to the ICO.

    This is how much they care about your privacy.

  19. sitta_europea Silver badge

    "We're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us."

    s/with/from;
